
My server (CentOS) recently got hacked by some crypto hackers. They encrypted all of my files and are asking for a ransom to decrypt them. They left a message in every folder, which starts like this:

Your personal files are encrypted! Encryption was produced using a unique public key RSA-2048 generated for this computer.
To decrypt files you need to obtain the private key.
The single copy of the private key, which will allow to decrypt the files, located on a secret server on the Internet. After that, nobody and never will be able to restore files...
To obtain the private key for this computer, which will automatically decrypt files, you need to pay 1 bitcoins (~240 USD). Without key, you will never be able to get your original files back...

Now they have sent me the decrypt keys and I'm still Could someone please help me with how I can recover my files?
What are the possible vulnerabilities that they took advantage of? Any other tips/pointers to avoid future threats? Thanks in advance.

Edit: They sent me a PHP script with the private key, which I should upload to the server and run through a URL. Here is the decrypt file they sent me.

Shameer
  • 111

2 Answers

2

Just some general tips to avoid malware infection and other security breaches:

  • keep your system up to date
  • work as much as possible as an unprivileged user and use sudo (or similar) to execute administrative commands
  • don't disable SELinux
  • don't open links in emails and the like unless you trust the source
  • disable services you don't really need/use
  • operate a firewall at least on the edge of your network
  • monitor log files for suspicious activity either manually or with the help of an intrusion detection system

And in addition to the above: make sure you have a current backup that you know you can restore.

Bram
  • 1,123
2

If you extract the 3 lines $so32, $so64 and $so and then decode them you get 3 binaries.

I extracted them by simply removing the PHP code in between these lines and "converted" it to a bash script that basically writes them to files.

Something like:

so32="f0VMRgEBAQMA..."
so64="f0VMRgEBAQMA..."
so="f0VMRgEBAQMA..."
# decode each blob into a file named after its variable
echo "$so32" | base64 --decode > /tmp/so32.decoded
echo "$so64" | base64 --decode > /tmp/so64.decoded
echo "$so"   | base64 --decode > /tmp/so.decoded

They appear to be UPX-packed binaries which, at least according to this article, matches the cryptolocker decoding application.

file /tmp/so*
/tmp/so32.decoded: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
/tmp/so64.decoded: ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
/tmp/so.decoded:   ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), statically linked, for FreeBSD 10.1, not stripped
strings /tmp/so64.decoded -n 30
$Info: This file is packed with the UPX executable packer http://upx.sf.net $
$Id: UPX 3.91 Copyright (C) 1996-2013 the UPX Team. All Rights Reserved. $

But I don't know of any way to unpack these to check what the binaries would do. Considering where you got this file you will have to decide whether you want to take the risk of running these.

And if the site was taken down in the meantime there is no guarantee this will even still work.

Bram
  • 1,123
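The extraction and triage Bram describes, written up as an added example (not Bram's script and not anything from the question): it pulls every `$name="<base64>"` line out of a PHP file, decodes the blobs into a quarantine directory, and reports size, SHA-256, ELF magic and the clear-text UPX tag for each, without executing any of them. The PHP file and its blobs are constructed inside the script (tiny ELF headers, one with the UPX banner appended); the function names are my own.

```sh
#!/bin/sh
# Added example, not the script from the answer: extract and triage the base64
# blobs in a PHP "decryptor" like the one described, never executing them.
set -eu

# Constructed stand-in for the attacker's PHP file: three $name="<base64>"; lines.
# $so32/$so carry a bare ELF header (the "f0VMRg..." prefix seen in the answer);
# $so64 carries the header plus the clear-text UPX banner for the check below.
make_sample() {             # $1 = path of the PHP file to create
  hdr=$(printf '\177ELF\001\001\001\003' | base64 | tr -d '\n')
  upx=$(printf '\177ELF\002\001\001UPX! $Info: This file is packed with the UPX executable packer $' | base64 | tr -d '\n')
  printf '<?php\n$so32="%s";\n$so64="%s";\n$so="%s";\n?>\n' "$hdr" "$upx" "$hdr" > "$1"
}

# Decode every $name="<base64>"; assignment in $1 into $2/<name>.bin and print
# the variable names found. Nothing is executed, only written to disk.
extract_blobs() {           # $1 = PHP file, $2 = quarantine directory
  mkdir -p "$2"
  sed -n 's|^\$\([A-Za-z_][A-Za-z0-9_]*\)="\([A-Za-z0-9+/=]*\)";$|\1 \2|p' "$1" |
  while read -r name b64; do
    printf '%s' "$b64" | base64 -d > "$2/$name.bin"
    echo "$name"
  done
}

# ELF magic check: the first four bytes must be 7f 45 4c 46 ("\x7fELF").
is_elf() { [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "7f454c46" ]; }
# UPX leaves its "UPX!" tag in clear text even though the payload is packed.
is_upx() { grep -aq 'UPX!' "$1"; }

# One line per blob: name, size, sha256, ELF?, UPX?  The hash is what you look
# up in threat-intel sources instead of running the file to see what it does.
triage() {                  # $1 = quarantine directory
  for f in "$1"/*.bin; do
    elf=no; upx=no
    is_elf "$f" && elf=yes
    is_upx "$f" && upx=yes
    printf '%s size=%s sha256=%s elf=%s upx=%s\n' "$(basename "$f")" \
      "$(wc -c < "$f" | tr -d ' ')" "$(sha256sum "$f" | cut -d' ' -f1)" "$elf" "$upx"
  done
}

# Stand-alone run on the constructed sample (quarantine under a temp dir).
d=$(mktemp -d); make_sample "$d/decrypt.php"
extract_blobs "$d/decrypt.php" "$d/q" > /dev/null; triage "$d/q"; rm -rf "$d"
```

On a real sample, point `extract_blobs` at the PHP file you were sent and keep the quarantine directory off any path the web server can execute from.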